How to retrieve one field from multiple responses?

greeshmak · ‎04-19-2017

I'm trying to retrieve a field from a response:

here is the example:

response=[{"code":0,"count":1,"mobile":"123456",},{"code":0,"count":2,mobile":"67891011",},{"code":0,"count":1,"mobile":"234567"},{"code":0,"count":1,"mobile":"2765432"},{"code":0,"count":1,"mobile":"8901234"}]}

I want to extract the mobile number from all braces, If i use extraction using kvdelim and pairdelim,I'm not able to extract all values, it is returning only first mobile value.

Can someone suggest how to extract every mobile number from the response.

Thanks in advance.

gokadroid · ‎04-19-2017

Since in you sample data, the mobile number comes always after keyword mobile however the " aren't always proper around it hence how about trying this:

your query to return the field response
| rex field=response max_match=0 "mobile(\D+)(?<mob>[\d]+)"
| table mob, response

This will create a multi-value field mob which will have all the mobile phone numbers which can be then used with mvexpand to tabulate or work upon something like below:

your query to return the field response
| rex field=response max_match=0 "mobile(\D+)(?<mob>[\d]+)"
| mvexpand mob
| table mob, response

How to retrieve one field from multiple responses?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms